locked down UEFI

I don't have a problem with a pc manufacturer wanting to use UEFI to lockdown the OS that can be installed, but I would not purchase such a machine.My concerns would be three fold:

Would an update to the OS break the system?

Would upgrading the OS be possible?

Which hardware change would prevent a bootup? video, nic, new mb?

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

I don't have a problem with a pc manufacturer wanting to use UEFI to lockdown the OS that can be installed, but I would not purchase such a machine.My concerns would be three fold:

Would an update to the OS break the system?

Would upgrading the OS be possible?

Which hardware change would prevent a bootup? video, nic, new mb?

In order for this to work, ANY change in the hardware that requires loading a driver, would have to have a pre-approved key. And I don't see any other way to "lock down" Windows. But I wouldn't buy a MB with this feature unless there was a way to turn if on and off at will. IOW, turn it on when booting Windows but be able to turn it off to boot whatever else I choose. Be it LiveCD, a grub menu, a USB stick or even an older version of Windows. But it does seem that MS is trying to sneak this in in such a way that it precludes users from booting anything but Windows if the manufacturer wants to use the Windows 8 logo. If they succeed, I hope that the US Justice Dept and the EU come down on them hard for anti-trust violations.

Hello,As far as I can tell, the option to disable UEFI Secure Boot should be enabled in every BIOS^H^H^H^H UEFI firmware—the only place I could think of where it would not be available would be OEM builds for government, enterprise, etc.Regards,Aryeh Goretsky

I really have my doubts that Microsoft would go as far as to disable access to any other OS. I think the idea of a secure boot was floated around the meeting table, and everyone agreed it would be a good idea to prevent boot-time malware, viruses, and trojans from interrupting the boot process.Also, I have faith in the linux community to come up with a workaround if this does end up preventing a multiboot option.Adam

Hello,As far as I can tell, the option to disable UEFI Secure Boot should be enabled in every BIOS^H^H^H^H UEFI firmware—the only place I could think of where it would not be available would be OEM builds for government, enterprise, etc.Regards,Aryeh Goretsky

The key word in your post is "should". But the fact that it "should" be enabled by no means means that it "will" be enabled.

I really have my doubts that Microsoft would go as far as to disable access to any other OS. I think the idea of a secure boot was floated around the meeting table, and everyone agreed it would be a good idea to prevent boot-time malware, viruses, and trojans from interrupting the boot process.Also, I have faith in the linux community to come up with a workaround if this does end up preventing a multiboot option.Adam

If were possible for the "linux community" to get around then it would also be possible for the hackers. And I don't doubt for a second the MS would implement it if they thought they could get away with it. Afterall, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

If were possible for the "linux community" to get around then it would also be possible for the hackers. And I don't doubt for a second the MS would implement it if they thought they could get away with it. Afterall, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

Hello,Well, yes. Manufacturers make all sorts of interesting custom builds for enterprise customers, and sometimes those products end up in the computer surplus space. I once picked up a motherboard that turned out to work with one particular model of CPU (it was a Fujitsu-Siemens motherboard, I think, originally destined for some kind of OEM use). A friend of mine once picked up a new Unisys laptop that had a monochrome display and metal chassis; apparently it was surplus from a DoD build. I think such things tend to be more the exception than the rule. I can't see a manufacturer wanting to get bad publicity over something like this, can you?Regards,Aryeh Goretsky

lewmur, on Sep 27 2011, 05:54 AM, said:

The key word in your post is "should". But the fact that it "should" be enabled by no means means that it "will" be enabled.

Hello,I think it would require a more significant social engineering attack than we have currently seen to convince an ordinary PC user to go into their UEFI firmware and disable the secure boot option.PC hardware manufacturers are Microsoft customers, and they don't have to be exclusive ones, either (Ubuntu, Android, even Hewlett-Packard's ill-fated WebOS come to mind). If Microsoft doesn't have a compelling OS for them, they'll go somewhere else, just as they are currently doing in the mobile handset and tablet market.It seems to be the Trusted Computing Group is more about providing a secure boot path and operating environment. A quick look here at the membership reveals quite a few companies besides Microsoft, including some whom I think are quite receptive towards Linux, like IBM, Fujitsu, and Aruba Networks.Regards,Aryeh Goretsky

lewmur, on Sep 27 2011, 06:05 AM, said:

If were possible for the "linux community" to get around then it would also be possible for the hackers. And I don't doubt for a second the MS would implement it if they thought they could get away with it. Afterall, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

Hello,Well, yes. Manufacturers make all sorts of interesting custom builds for enterprise customers, and sometimes those products end up in the computer surplus space. I once picked up a motherboard that turned out to work with one particular model of CPU (it was a Fujitsu-Siemens motherboard, I think, originally destined for some kind of OEM use). A friend of mine once picked up a new Unisys laptop that had a monochrome display and metal chassis; apparently it was surplus from a DoD build. I think such things tend to be more the exception than the rule. I can't see a manufacturer wanting to get bad publicity over something like this, can you?Regards,Aryeh Goretsky

You are missing the point. UEFI is an extra layer of code between the BIOS and the bootloader. It is a standard developed by a consortium of co.s that did include IBM and that, in and of itself, does nothing to preclude any OS from booting. The problem is that MS is telling OEM's that in order to comply with the licensing terms needed to display the Windows 8 logo, they must implement the UEFI in such a way that it COULD exclude the booting of any other OS but Window 8. In fact, not just Win 8 but the particular version of Win 8 covered by the OEM license. (Take note. This is not just for a limited "enterprise" or 'speciality" edition. It is for ANY box displaying the Windows 8 logo.)MS has publically admitted that their demands on the OEMs gives them this ability and are asking everyone to trust them not to use it to prevent Linux from booting (or dual booting) on these machines. I dare say you will take MS at their word. I, for one, don't trust MS as far as could throw Bill Gates.

I have two issues with all this:1) Color me naive, but I just don't really think that Microsoft is the EVIL EMPIRE (everyone knows that's Google ), and that they are soooooo scared of little ol' Linux.and 2) If MS really is trying this in an attempt to lock down the PC marked in their favor, I have a hard time believing they'll get away with it... especially in ANTI-antitrust Europe.We'll see, I guess...

I have two issues with all this:1) Color me naive, but I just don't really think that Microsoft is the EVIL EMPIRE (everyone knows that's Google ), and that they are soooooo scared of little ol' Linux.and 2) If MS really is trying this in an attempt to lock down the PC marked in their favor, I have a hard time believing they'll get away with it... especially in ANTI-antitrust Europe.We'll see, I guess...

I'm not so sure. MicroS does not seem to state anywhere that if you want to install Win8 you must use a locked down UEFI that must prevent other OS installs. But if you want to display our Win8 logo on your machine , then you must use a locked down UEFI - if that might prevent OS installs, that is not our problem. It is the "not our problem" that I think they are incorrect about, as per my OP.

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

I'm not so sure. MicroS does not seem to state anywhere that if you want to install Win8 you must use a locked down UEFI that must prevent other OS installs. But if you want to display our Win8 logo on your machine , then you must use a locked down UEFI - if that might prevent OS installs, that is not our problem. It is the "not our problem" that I think they are incorrect about, as per my OP.

The way I read it, this won't effect the DIY market at all. But that is a small percentage of the total market. If MS can lock down the OEM computer market they can effectively maintain their monopoly on the desktop and, more importantly, laptop markets.

The way I read it, this won't effect the DIY market at all. But that is a small percentage of the total market. If MS can lock down the OEM computer market they can effectively maintain their monopoly on the desktop and, more importantly, laptop markets.

Can one be a msWindows OEM without using the logo?

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

I don't have a problem with a pc manufacturer wanting to use UEFI to lockdown the OS that can be installed, but I would not purchase such a machine.My concerns would be three fold:

Would an update to the OS break the system?

Would upgrading the OS be possible?

Which hardware change would prevent a bootup? video, nic, new mb?

Here is the latest on MS and the UEFI. In it Adrian Kingsley-Hughes contends that while, without a "kill switch", MS's demands for the Win 8 logo WILL lockout any other OS, that it is absolutely necessary to insure against "rootkits". And I agree with that. But what he misses is that the only way to insure that the OEMs offer a "kill switch" is that MS include that option as part of its Win 8 logo license requirement. If their intent is truly benevolent, that is a simple way to prove it. Anyone here going to hold their breath waiting for MS to take that step?

Yeah, I've read what Mr. Bott thinks. And as far as I'm concerned, he is full of it. IMHO,he is a MS shill. I think that most Linux users pretty much concede that anything that helps secure Windows is a good thing. I, in fact, would prefer to see MS's UEFI solution applied, as is, if that was the only way it could be done. But as I stated in the previous post, all MS needs to do is insist that not only do the OEM's need to have the "secure boot feature" but that they make a "kill switch" available in order to display the Win 8 logo. That is the ONLY way to insure that OEM's will provide the "kill switch". And the only thing it would cost MS is the competition from Linux that they claim doesn't concern them anyway.

The Free Software foundation came out opposing Microsoft's requirements. More than 16,000 people signed the Free Software Foundation statement on “Secure Boot vs Restricted Boot”, which shows the users were concerned. We were expecting some response from the open source industry. Red Hat and Canonical have come forward. The two companies have published a white recommending how to implement 'Secure Boot', to ensure that users remain in control of their PCs.......

The white paper highlights the recommendations for OEMs which include:

The companies recommend that all OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface. The companies write that it is essential that users are able to remove secure boot restrictions, and boot the software of their choice on the devices that they own. Furthermore, the interface to configure this option should be easily accessible by non-technical users. Of course, this option should only be available to users with physical access to the hardware, and not be accessible via programmatic means.....

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

Canonical, Red Hat and FOSS all put together don't have the clout to force OEM's to do anything. Only MS, or the anti-trust depts of the worlds govts have that power. And, of course, MS's purse strings have proven before to be to much of a temptation for govt politician to resist. Just look at what happened with the .docx situation.